Detects attempts to disconnect network shares via command-line tools such as `net use /delete` and PowerShell `Remove-SmbMapping`, correlated with process lineage and SMB session teardown activity.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Traffic Content (DC0085) | NSM:Flow | SMB2_LOGOFF/SMB_TREE_DISCONNECT |

| Field | Description |
|---|---|
| TimeWindow | Adjustable window to correlate CLI disconnection command with SMB session teardown (e.g., 5 mins) |
| UserContext | Used to filter on non-interactive users or highly privileged accounts |
| ProcessCommandLineRegex | Patterns to match `net use \\host\share /delete`, `Remove-SmbMapping`, or suspicious batched disconnections |
| NetworkShareNamePattern | Tunable list of shares likely targeted (e.g., ADMIN$, C$, IPC$) |
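The correlation described above, as an added example that is not part of the original page: it applies the command-line regex and admin-share pattern to constructed Sysmon EventCode=1 and PowerShell 4104 records, then looks for SMB teardown flow records on the same host inside the TimeWindow. Field names, sample hosts, users and timestamps are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the strategy's fields; values are constructed for this example.
TIME_WINDOW = timedelta(minutes=5)
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(ADMIN\$|C\$|IPC\$)", re.IGNORECASE)
DISCONNECT_CMD = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+use\s+(?P<target>\S+)\s+/delete\b|\bRemove-SmbMapping\b",
    re.IGNORECASE,
)
TEARDOWN_CODES = {"SMB2_LOGOFF", "SMB_TREE_DISCONNECT"}

# Constructed sample telemetry: Sysmon EventCode=1, PowerShell 4104 and NSM flow records.
EVENTS = [
    {"ts": "2024-05-01T10:00:02", "src": "Sysmon", "code": 1, "host": "WS01",
     "user": "CORP\\svc-backup", "cmd": "net use \\\\FS01\\ADMIN$ /delete"},
    {"ts": "2024-05-01T10:00:04", "src": "NSM", "code": "SMB_TREE_DISCONNECT",
     "host": "WS01", "share": "\\\\FS01\\ADMIN$"},
    {"ts": "2024-05-01T10:07:30", "src": "PowerShell", "code": 4104, "host": "WS02",
     "user": "CORP\\jdoe", "cmd": "Remove-SmbMapping -RemotePath \\\\FS01\\Finance -Force"},
    {"ts": "2024-05-01T10:30:00", "src": "Sysmon", "code": 1, "host": "WS03",
     "user": "CORP\\jdoe", "cmd": "net use * /delete /y"},
    {"ts": "2024-05-01T10:31:00", "src": "Sysmon", "code": 1, "host": "WS03",
     "user": "CORP\\jdoe", "cmd": "notepad.exe report.txt"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def detect(events, window=TIME_WINDOW):
    """One alert per disconnection command, counting SMB teardowns seen on the
    same host within `window` after it, plus a severity rating."""
    teardowns = [e for e in events if e["src"] == "NSM" and e["code"] in TEARDOWN_CODES]
    alerts = []
    for e in events:
        if e["src"] not in ("Sysmon", "PowerShell"):
            continue
        m = DISCONNECT_CMD.search(e["cmd"])
        if not m:
            continue  # not a share disconnection command
        correlated = [t for t in teardowns
                      if t["host"] == e["host"] and timedelta(0) <= _t(t) - _t(e) <= window]
        batched = (m.group("target") or "") == "*"  # `net use * /delete` drops every mapping
        if batched or ADMIN_SHARE.search(e["cmd"]):
            severity = "high"      # admin share or batched disconnection
        elif correlated:
            severity = "medium"    # CLI command confirmed by observed session teardown
        else:
            severity = "low"
        alerts.append({"host": e["host"], "user": e["user"], "cmd": e["cmd"],
                       "teardowns": len(correlated), "severity": severity})
    return alerts
```

Tightening `window` to zero makes the WS01 teardown fall outside the correlation, which is how the TimeWindow tunable trades false positives against missed pairings.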